Up To 1.5 Million Visa, MasterCard Credit Card Numbers Stolen

An anonymous reader writes "Global Payments, the U.S.-based credit card processor company that experienced a security breach affecting Visa and MasterCard, confirmed that the breached portion of its processing system was confined to North America. The company also finally revealed how many credit card numbers were stolen: around 1,500,000."

Recourse?

[mws1066]

And what recourse do card holders have? How do we know if our number was stolen, passed around, and now someone is just holding onto it indefinitely and might leap to use it after this whole thing blows over? A bit frightening.

Re:Recourse?

[robinsonne]

None whatsoever, but maybe I should go on a spending spree and max out my card so that the crook(s) have to pay my bill before they can do anything with my card!

Re:Recourse?

[Bigby]

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

And VISA already dropped Global Payments. Let the market and common law handle this...

Re:Recourse?

[jmauro]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Re:Recourse?

My bank called me...but then again it wasn't until after charges were made to my account. The jack@$$3$ wiped me out...now I have to go to my bank, and fill out an Affidavit of Fraud to get my money back. I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages (as well as assist with the cancellation of cards, since everyone should cancel a stolen card)...too bad that will never happen. I didn't choose for GP to be the processing system used with my card, so I don't feel like this is my fault.

I would cancel my card right away and ask for a new one. It will be a minor inconvenience for you, but could prevent trouble in the future.

Re:Recourse?

[MetalliQaZ]

I assume that by "the crooks" you mean Mastercard and Visa, right? :)

Re:Recourse?

I think that Global Payments should be forced to contact all people who had their information stolen AND re-imburse them for any damages

Your recourse is through your bank and/or card issuer, not the processor, and that fact is greatly beneficial to you. A massive breach could easily put a company out of business, especially if that company were already in trouble. In that situation, if they were liable for your losses, you would have to wait years for bankruptcy court to sort it out, and you would likely only get back a portion of your losses. The bank that issued your card is legally required to have the cash on hand to be able to pay you back, so it works out much better for you that it is their obligation. Yes, you may have to fill out a few forms, and your money will not come back instantaneously, but I don't think there's a constitutional amendment requiring that you never be mildly inconvenienced, so suck it up and take it. Shit happens.

Re:Recourse?

[modernzombie]

My bank called me a couple months ago (not related to this incident) and said that they were cancelling my card and issuing me a new one because they had reason to believe it could have been compromised even though no fraudulent charges had been made. This seems like the appropriate thing to do. The card issuers should be contacting their customers to have the cards replaced.

Re:Recourse?

[Qzukk]

You could, oh I don't know, cancel your cards and replace them? But I guess complaining about it on /. is more fun.

That's not "recourse" that's "damage control".

Re:Recourse?

[SniperJoe]

Actually, that's not true at all. If you fail to report fraudulent transactions within 60 days of statement mailing, the bank and/or credit card company is not responsible for any investigation or repayment under the Fair Credit Billing Act.

http://www.ftc.gov/bcp/edu/pubs/consumer/credit/cre04.shtm

Re:Recourse?

[CubicleZombie]

And what recourse do card holders have?

Cash still works. For now, anyways.

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Aside from this, it seems likely they will notify the people who were affected and issue them new cards if they can identify who they were. It may not be possible to tell which numbers were stolen, only which were exposed.

Re:Recourse?

[tripleevenfall]

We give trucker cap. Look good for ladies.

Re:Recourse?

[X0563511]

Yes. My bank is not exactly one known for good behavior, but that said all it takes is a phone call for them to wipe the offending transactions, give me my money back, and start an investigation. Note I get my money back first. I've never once had them come back and go "hmm, no actually we want out cash back" - and I've had to do this some 10 times over the years.

Re:Recourse?

[RobertLTux]

"this is less helpful when you travel all the time. oh hey look I'm away from home and now my card doesn't work. how convenient. I still have another week of business to do here. thanks visa."

then they should not trigger unless they see "you" travel outside of your normal range (ie you mostly travel on the east coast of the US and they see "you" charge something in say China.).

Re:Recourse?

[neokushan]

Give me your CC number and I'll let you know if it's one of the compromised ones.

>_>

Re:Recourse?

[s0nicfreak]

Since when is maxing out your own credit card illegal?

Re:Recourse?

[KhabaLox]

GP should be fine. It looks like the average loss is anywhere from $1 to $10 per account, so they're looking at an upper bound of $15-$20m, or about 5% of their unrestricted cash assets.

From an article linked to in TFA:

Global Payments, the processor blamed for a Visa and Mastercard data breach last week, is likely to be able to manage its financial hit related to beefing up security. ...
If that figure sticks, Global Payments can weather the data breach, analysts said. For instance, Wells Fargo Timothy Willi said in a research note that Global Payments, which has $300 million to $400 million in unrestricted cash, can pay for the damage.

Willi’s take, which lines up with other analysts, is based on the data breach suffered by Heartland in 2008. Heartland is another payment processor and the accounts compromised ran as high as 130 million in a breach that lasted for months. Heartland’s tab to data has been $147 million.

Given Global Payments’ compromised accounts is about 10 million the tab should be lower. RBS WorldPay also had 1.5 million accounts compromised with $9 million of fraud losses.

Re:Recourse?

[s0nicfreak]

But that isn't what he said. He said the crooks would have to pay his bill before they could use his card.

Re:Recourse?

[whoever57]

Which is why you're supposed to tell your travel schedule to your credit card companies. Lazy or a troll?

Recent experience: My wife went to the UK (we live in the USA) recently. I phoned the credit card company in advance and told them she would be in the UK. Cards on the account have been used in the UK on a fairly regular basis. Her card was suspended within a couple of days of her arrival. So, what's the point of calling the credit card company?

Re:Recourse?

[Rakishi]

Debit != Credit.

Learn the difference and learn to read before commenting next time.

Debit cards are stupid for just the reasons you listed, all of which credit cards are basically immune to.

Re:Recourse?

[KingMotley]

I didn't choose for GP to be the processing system used with my card

Sure you did, you just didn't check. You could have went to another merchant, but you decided not to, or that checking who they were going to use to process your credit card wasn't worth the trouble. I'm quite guilty of this myself. But you (we) did have the opportunity to find out and use something else, but we didn't because we couldn't be bothered. The risk was low enough that it wasn't worth the trouble. Until this happens often enough that people actually do think it's worth the bother, it will continue. It being companies that are supposed to safe guard your information don't. Simply because it's cheaper and more cost effective not to. Of course merchants will use whomever is cheapest, until there is a reason (people refuse to shop with them) to actually justify using 3rd parties who actually secure your information.

Re:Recourse?

[tripleevenfall]

I had a Citi mastercard which had some fraudulent charges posted to it... two different charges for Italian dresses, about $300 each. (what the heck?)

I called and reported it. I had to sign an affidavit of fraud and fax it back to them. They canceled my old card and overnighted me a new one, and the charge came off the account about a week later. It was really pretty easy.

Re:Recourse?

[tripleevenfall]

The burden on the consumer to protect themselves is not high. All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Why should I be doing this? I make dozens, perhaps hundreds of transactions each month. My looking over my statement is easily subject to human error.

Why should you look after your own finances? I wouldn't think higher critical reasoning would be required to convince you to do so.

Re:Recourse?

Whether it is used now or later, you are not liable. Your recourse is that you are NEVER liable for credit card transactions.

Bwahahaha! You've never had to experience the nightmare of having fraudulent transactions on your c/card, have you? The issuers make you jump through a ridiculous number of hoops, legal papers, police statements, that unless you have large sums against you, you simply give up trying to to remove them.

It's a complete myth you can reverse transaction on credit cards, perpetuated by Visa and Co to keep the public in happy blindness. At least until they experience the problems for themselves.

Re:Recourse?

[Solandri]

Don't do that. The banks and credit card companies have gamed it so that they don't pay for fraud - the merchants do. They've made it the merchant's responsibility to make sure the card is not being used fraudulently, while simultaneously pushing through a law which prohibits declining a card because the user refuses to show ID (because that would, y'know, discourage credit card use*). If you contest a charge and the merchant cannot prove that you actually made the charge (usually a copy of your signature on the charge slip), the processor will reverse the payment. The merchant is out the money and the merchandise. The card processor suffers the minor inconvenience of having to pay someone to field your phone call and having to run a second transaction to reverse the initial purchase. That is why some places will ask for your zip code or home phone number, or won't deliver to anywhere but your home address when you buy with a card. Those are the only tools merchants have to prevent fraud.

* They also pushed through a law prohibiting merchants from charging extra for credit card transactions to cover the additional risk of fraud. Some merchants get around it by offering a cash discount.

Re:Recourse?

[rmandevi]

That would have to be a pretty cagey crook. The breach occurred January-February. Global reported the breach to Visa, MasterCard, and Federal authorities once they detected it last month (source: http://phx.corporate-ir.net/phoenix.zhtml?c=125339&p=irol-newsArticle&ID=1678656&highlight=). The news only came out Friday to give the Feds enough time to investigate without tipping anyone off. Truth in posting: I work for one of Global's competitors.

Re:Recourse?

[sexconker]

Well, yes, at least these are CREDIT cards, not bank cards. This is exactly why I don't have a bank card and only use a credit card - at least it provides a buffer to my money. If I see charges on a bill that are suspect, I don't HAVE to write the credit card company a check. But if a criminal got a hold of someone's bank card...

Maybe I'm wrong - does anyone use a bank card and feel safe?

I left Bank of America because of this (and other, previous horse shit).
Some scam "company" initiated an ACH transaction against my checking account (not even a debit purchase, it was straight ACH).

They farm account numbers from dumpsters, internets, and call center slaves who are easy to bribe. Then they initiate fraudulent transactions for "supplemental medical insurance". You can go to their various shell websites and quickly see that the insurance is of course non-existent. The only service they offer is theft.

So I called Bank of America and said "This is bullshit." and they wanted to do the whole 7-10 day, affidavit, wait to get my money back, horseshit.
I got my money back faster (from the company) by threatening to sue and reporting them to the NY State Attorney's office.

Bank of America said they could not (would not) block future transactions from that company. Sure, they could block debits from that company for the same amount (down to the cent), so if they try to take $49.95 they can't get it, but if they try $49.96 or $4999.95 they get it instantly. BoA wouldn't even let me file a complaint against them. Since I had gotten my money back, they refused to let me file a claim where I did not seek a refund. Of course, why would the bank want to make my money secure or investigate fraud? They profit off transactions, interest, fees, fraudulent charges, etc.

My only option, according to BoA, was to open a new checking account to get a new number that hopefully they wouldn't be able to steal.
So I did. Except the new checking account wasn't at BoA.

Re:Recourse?

[penix1]

The problem with that analysis is it doesn't take into account the hit to reputation. These companies only exist because of trust that the data is correct and secure. Loss of that trust means people will jump ship faster than rats leaving a sinking ship. I suspect the only reason Heartland survived was it is an industry that is "too big to fail" meaning there are very few processors out there for people to jump ship to that hasn't suffered the same problems or worse.

Re:Recourse?

[Rakishi]

Wow, did a Visa executive make sweet love to your mother or something?

As others have already pointed out, it is just that easy. Visa and Co don't care at all since they don't eat the cost.

Last time I got hit with fraud, a single sale mind you, my card was suspended and I was called before the transaction was even finalized. New card was in my hands within two days and I even had thirty days to switch over any recurrent charges (as the old number stayed valid for those).

Re:Recourse?

[chocolatetrumpet]

All you have to do is what you should already be doing, looking over your statement and reporting anything you have questions about.

Looking over? Doesn't anyone else use electronic bookkeeping and reconcile their bank statements? Money is so hard to come by. It is really worth your while to keep accurate records. And if you're nerdy enough to read this website...

I spend a few minutes each day typing receipts and cash transactions into the computer. Just this very act has increased my savings. My theory is that it helps bring your transactions into consciousness. You can also get all sorts of cool charts and graphs, which helps me decide if I'm really getting good value for my money.

This free and open source accounting application has served me well for years.

I am all for theoretical knowledge, but I really do believe basic bookkeeping should be a standard high school class... I didn't start keeping books for myself until I was into my 20's, and it has been a highly empowering activity.

Re:Recourse?

[lgw]

That's epic-scale lazy right there. The bank is not your friend. Never trust it. You don't just need to check against merchant-side errors, you need to check against errors made by your bank. I've had to switch banks before just because of the frequency of errors.

Sure, sure, everyone should prefer banks that get this stuff right, but how can you know if you don't verify? Talk about oblivious.

Re:Recourse?

[lgw]

Everyone should keep a detailed budget, at least for a while. It really is educaitonal. But if you do that for a few years it becomes an empty ritual - you can manage by exception. What's sad is so very few people these days ever reach that point - it's no wonder that getting into "the 1%" seems impossible for so many. There are fundamental technical skills here that every adult should master (if only high school taught anything practically useful).

Re:Recourse?

Posted anon on purpose.

I work for a credit card company and we give out both Visa and Mastercard. When there is a fraud, WE pay the money. If you need a new card WE pay for that new card.

If you contest a charge and there is anything reasonable (so no cash withdrawal with your PIN code) we will FIRST give you the money back, then start the investigation and if there is no actual fraud (or more likely a fraud attempt of the cardholder) he will see it on a later bill.

This means in many cases that the merchant has the money, the customer has nothing to pay and we end up with the bill.

Now if the USofA would start using a modern system like the rest of the world, instead of still using the magnetic strip confirmed by a signature on the card, use the PIN code system with a chip. This seriously will increase security.

As far as we are concerned, if you go to the US, it will cost US money, because of the backwater system that is used.

Almost all of the world has changed to a more secure system, yet the US is somehow unable to get up to speed.

Will it ecxlude all situations or all fraude? No, but it will seriously reduce it. How? If you do not have the code, you can only try to buy stuff on the Internet. The moment the card is noted as stolen, even that won't work, because the card is blocked from that moment on.

Re:Recourse?

[gstoddart]

They dropped them from the list of "secure" providers. Global Payments is still authorized to handle VISA credit card payments.

Wait, VISA will still let insecure providers to process transactions?

That makes no sense whatsoever. (I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

That's kind of letting a known burglar work for an alarm company. It kind of defeats the purpose in the first place.

Re:Recourse?

[Raenex]

Wait, VISA will still let insecure providers to process transactions?

Global Payments is a huge provider, and Visa couldn't just stop processing payments from them without impacting a huge number of merchants.

(I'm not disputing what you're saying, I just find it amazing they'd let someone who doesn't have good data security anywhere near transactions.)

Even companies who have good security can suffer a breach. I haven't seen any details on what happened, whether it was gross negligence, an inside job, or what. To even be processing with Visa, you have to pass security audits for basic procedures. They'll get whatever went wrong fixed and re-apply for approval.

The real problem here is the reliance on "secret" data (your credit card number) that is published on every transaction. With so many people and organizations involved, it's inevitable that these leaks will happen.

It's 2012. There are much better solutions using smart cards and public/private keys.

Re:Recourse?

[hairyfeet]

Uhhh...use a small bank that won't fuck you over maybe? Every time any of this kinda crap happens i get a new card issued to me by my bank "just in case' and been told flat footed 'if anybody messes with your account don't worry, just let us know and we'll take care of it, no problem" and actually got to test it last year when ordering some parts and PCs and a company double dipped. i just walked in to my local branch, walked up to the teller i always go to and said 'hey Karen, can you believe i bought something online and they double charged me" and she said 'Ohhh, don't you just HATE that? That happened to my husband a couple of weeks back...now lets see...is it this one right here? okay let me punch this in and...tada! Give the system about 5 minutes to update and it'll be like it never happened" and i thanked her and after BSing a minute walked out and sure enough, like it never happened.

Hell i don't even worry about using my debit card out anymore, its covered to the penny by my bank and one phone call or trip to the local branch and its all taken care of, no muss and no fuss. that's the nice thing about using a small bank, they get to know you and treat you like a person and not a wallet with feet. when i go in to the one on the east side (where my mom banks) I get asked about her and how the oldest is doing in college, i go to the west side (the one my dad uses) I get asked about how dad is doing and get to hear ALL the latest gossip (we call that branch the "hen's nest" for all the gossiping going on) and its nice. no hassles, friendly folks, no worries.

I wonder if this is why i just got new cards even though mine had a year left to go? When these things happen they usually tell the banks first and i'm really happy with how proactive mine has been, if there is even the slightest hint someone may have gotten a number we get new cards. They even called and left me a message to go check my mail for new cards and if they weren't there to come on by and they'd issue a temp card and sure enough they had new cards waiting for me and the next day new PINs. no muss, no fuss, no hassle, i wouldn't change banks for anything.

Re:Recourse?

[Kalriath]

That usually means the bank has placed a transaction block on that merchant - mine does the same with Entropay. It actually means it requires manual intervention to perform the transaction. In my case, I need a bank person on the phone to force the payment through.

ANother grain of sand

[geekoid]

on top of my theory that digital cash will prove to difficult to protect and ultimately fail; which is a shame, I like digital cash.

Where is the list ?

[Lennie]

I want to check if mine is on the list ;-)

Re:Where is the list ?

[HaaPoo]

I have the list, give you number to me to verify.

New Security Model

[MetalliQaZ]

That government guy from the cyberwar scare story last week had it right... We need a new security model. Just assume that your credit card numbers, your social security number, etc., are already compromised. Those things were never designed to be secure, and companies that we trust with this data simply can't keep them safe. We just have to accept that the bad guys are all up in our business and adjust our practices accordingly. We could do it.

Re:New Security Model

[nine-times]

Well it's not so much "we need a new security model" as "we need a security model". As you said, these things were never designed to be secure in the first place.

Lots of businesses and government organizations use your SSN as an authentication method-- i.e. knowing your SSN is considered proof that you are who you say you are. However, your SSN is also just your ID number, and you're constantly being asked to provide it to people. In computer terms, it would be like asking people to use the same username in lots of different places, and then having everyone use their username as their password.

IMO we should be using some kind of private-key encryption to verify identity. I don't like the idea of being forced to identify yourself, but if they're requiring some kind of verification/authentication, it should at least be secure. Of course, this would also require us to develop and deploy an additional layer of infrastructure for providing/reading/revoking these private keys, and it would also raise questions of whether/when/how we want to allow anonymity in such a system. There are lots of issues to work out, but we should be working on it.

Re:New Security Model

[jez9999]

Indeed, 'cards' as a throwback from the 90s and it's a shame they're still widespread. I've been thinking for a while now that instead of issuing you with a 'card', the banks should switch to issuing you with something akin to an RSA SecurID tag. You attach it to your keyring and it has a number that changes every 30 seconds or something, which you must supply to login to online banking or make online transactions. For physical transactions, RFID could be used combined with a PIN. Lose the thing and you phone up and cancel it immediately. This should stop a lot of the fraud that happens, and in theory there's no way to defeat it unless that bank's system themselves are compromised.

Re:New Security Model

[KhabaLox]

Welcome to Mexico.

Does this mean you have RFID key fobs or compromised banks? I want to assume the latter, but I also don't want to be racist.

Can't steal a number

[Thanshin]

You can't steal a number! It's not stealing if you still have your copy of the number! It's copyright infringement at the most.

Also, if put them one after the other, they stole a single number!

73

There you are, you can keep that number in exchange. I never liked 73 anyway.

You're welcome.

Easy fix

[alaffin]

The thing is there are so many better ways to do things right now. For starters, you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards. Chip and pin isn't perfect, but it's better than a magnetic stripe and a signature. For card not present transactions allow Visa card holders to create a one time credit card number (with a maximum limit) via the internet or over the phone. Want to buy something on line? Generate your own credit card number to the exact value of what you're buying. That CC # number expires at the end of the day - meaning that even if you gave it a ridiculous limit and then sent it to a shady site they'd have 24 hours to use it.

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

Re:Easy fix

[Chatterton]

The problem is that for the bank the money lost is 'minimal'. In the 50 billion $ a year of CC fraud, most of that amount is lost by the merchants and not the bank. The chargeback is from the merchant to the card owner, but the merchand didn't get the sold product back. Now, if a law say that the fraud should be at the charge of the banks, you can be sure that the fixes will be implemented in the following hour !!!

Re:Easy fix

[rickb928]

"you could force any retailer that wants to accept credit cards to upgrade to a chip and pin setup or lose their ability to accept credit cards."

Um, the players in this aren't interested yet. The cost of replacing cards ia high enough for them to avoid it until 'forced', and not by 'you'. the government maybe, or a bank that gets burned too much to bear. In Britain, little old ladies are being shoulder-surfed at ATMs and wiped out, and since it's chip and pin, the banks hold onto their policies and refuse to make them good - see, chip and pin is most useful as a risk-shifiting device. The bank is off the hook because it is 'so secure' that you must have given your pin to someone. Your fault. Card not present transactions are a different story...

"For card not present transactions allow Visa card holders to create a one time credit card number"

This already is possible. Ask your bank, and if they don't, maybe you need a new bank. These go by several different names.

Re:Easy fix

[tgd]

Of course implementing these fixes would cost more than just paying the scammers, so we'll never see it happen.

It has -- quite literally -- nothing to do with the cost of the fixes. Most of the world has already gone chip+PIN. The reason you don't see it in the US is very simple: it slows down the transaction. That's why Visa and MC have been pushing for contactless payments. Tap your card and off you go. Simple as that. Its also why most stores no longer require signatures under $25 -- the networks have mandated that. You can actually lose your merchant account or pay penalties if you are caught asking people to sign for low-cost transactions.

The banks make money from people using the cards. They know exactly how much they lose from fraud, and how much they lose from slowing down transactions. As long as the latter is more than the former, nothing will change. You saw the change elsewhere because the spending patterns aren't the same as in the US, and fraud rates were higher.

Re:Many hats

[who_stole_my_kidneys]

I have to disagree. If your in the business of Security, just focusing on implementing PCI compliance or SOX or SEC etc. recommendations leaves you clue less to how hackers actually penetrate networks. You need to know more about what it is your running and how to mitigate other exploitable features that are not included in some compliance mandates. And the best way to learn that, get your hands dirty.

How many?

[rickb928]

Krebs on Security stated the number was 10 million. GP and all initially admitted to 50,000.

I'm betting on Krebs. He's pretty reliable, or at least his sources are.

Re:Nothing was stolen

[dkleinsc]

Let me make your argument a different way, now tell me what the difference was:
(A) Smith borrowed the keys to Johnson's car, went to a locksmith and made a copy, gave Johnson his keys back as promised, and then sold the key to a guy who stole everything in the car.
(B) Jones sat down in front of a photograph by Johnson hanging in the gallery and took a photograph of it that looked essentially identical, and developed that photo of a photo in large prints for his wall and his friends.

There's plainly a legal and moral difference between what Smith did and what Jones did, even though both Smith and Jones took nothing directly from Johnson.

Re:Nothing was stolen

[ACS+Solver]

Idiotic argument. The problem isn't the criminals having the card numbers per se. The problem is that these numbers can then be used to steal your money - as in actually steal because you won't have the money afterwards.